schnorr signatures – Are there CoinSwap-like protocols that do not require access to raw private keys?



From what it looks like, you are asking for a protocol that does not require the output to be locked to a key specific to the (current) protocol users (so it is locked to a proof that has no knowledge of a third/secret shared key, at least).

I believe the reason this doesn't exist comes down to a few factors:

  1. It would force the UTXO to be locked to a preimage which anyone who knows it could spend, instead of being locked to a preimage which only the receiving public key (who has learned the new preimage) can spend. (atomic double-spend attack vector, can be 'swapped' with anyone at the same time)
  2. It would force the hardware wallet user to use private key data from their real private key instead of a temporary one, which is generally what is used for the atomic swaps (like CoinSwap). This means that if the protocol they use is insecure they could leak their real private key. (maybe a bit of a stretch I guess)
  3. Secret sharing is how the atomicity is preserved. If there is no secret to be shared from my perspective, there is no way for a party to convince you that they cannot cheat. If they remain in control of the secret information and require you to spend with only one proof of that secret, it is highly possible for them to generate more valid proofs which could then be used to spend, regardless of whether you have one valid signature for it.

You need an extra DL that is specific to the current swap, or else such a signature could be reused by anyone knowing their own keys. If, for example, you reuse the same DL for two different swaps, you open up lots of double-spend vectors to your counterparties as soon as they see the same proof hit the blockchain again.

Another note: your hardware wallet doesn't necessarily need to hold on to these keys at any point; it really just needs to sign a transaction that proves one of the keys. Generally the whole transaction metadata isn't held on the HW anyway, so in this case the extra private key is just transaction metadata in some sense.
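The three points above (a swap-specific secret, a lock that only the receiving key can satisfy, and the danger of reusing that secret across swaps) can be seen concretely with a Schnorr adaptor signature. The following is an added illustration, not code from the answer above or from any CoinSwap implementation. It assumes a simplified Schnorr scheme over secp256k1 (full points rather than BIP340's x-only keys, a plain SHA-256 challenge, no tagged hashing) and uses the names `presign`, `complete`, `extract_secret` and `demo_swap`, which are this example's own. The swap secret `t` plays the role of the "extra DL" from the answer: the pre-signature is useless until `t` is added, the finished signature verifies only under the signer's key, publishing it reveals `t` to the counterparty, and a second pre-signature bound to the same `T` becomes spendable the moment `t` leaks.

```python
"""Toy Schnorr adaptor signatures over secp256k1 (added illustration, not the
post's code). Shows why a CoinSwap-style lock uses a swap-specific secret t
rather than a bare hash preimage or the wallet's long-term key."""
import hashlib
import secrets

# secp256k1 parameters (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(A):
    """True if A satisfies y^2 = x^3 + 7 (mod p)."""
    x, y = A
    return (y * y - x * x * x - 7) % P == 0


def ec_add(A, B):
    """Affine point addition; None stands for the point at infinity."""
    if A is None:
        return B
    if B is None:
        return A
    (x1, y1), (x2, y2) = A, B
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if A == B:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, A):
    """Double-and-add scalar multiplication (not constant time; toy only)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, A)
        A = ec_add(A, A)
        k >>= 1
    return R


def rand_scalar():
    return secrets.randbelow(N - 1) + 1


def challenge(R, Pk, msg):
    """Fiat-Shamir challenge e = H(R.x || P.x || msg) mod n (simplified BIP340 style)."""
    data = R[0].to_bytes(32, "big") + Pk[0].to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N


def keygen():
    x = rand_scalar()
    return x, ec_mul(x, G)


def verify(Pk, msg, sig):
    """Plain Schnorr verification: s*G == R + e*P."""
    R, s = sig
    e = challenge(R, Pk, msg)
    return ec_mul(s, G) == ec_add(R, ec_mul(e, Pk))


def presign(x, Pk, msg, T):
    """Adaptor pre-signature: s_hat = k + e*x with e bound to R = R_hat + T.
    It is NOT a valid signature until the discrete log t of T is added."""
    k = rand_scalar()
    R_hat = ec_mul(k, G)
    e = challenge(ec_add(R_hat, T), Pk, msg)
    return R_hat, (k + e * x) % N


def verify_presig(Pk, msg, T, presig):
    """Counterparty check: s_hat*G == R_hat + e*P, so adding t yields a valid signature."""
    R_hat, s_hat = presig
    e = challenge(ec_add(R_hat, T), Pk, msg)
    return ec_mul(s_hat, G) == ec_add(R_hat, ec_mul(e, Pk))


def complete(presig, T, t):
    """Whoever holds t turns the pre-signature into a full Schnorr signature."""
    R_hat, s_hat = presig
    return ec_add(R_hat, T), (s_hat + t) % N


def extract_secret(presig, sig):
    """Anyone holding the pre-signature learns t from the published signature."""
    return (sig[1] - presig[1]) % N


def demo_swap():
    """Returns, as booleans, the properties the answer relies on."""
    x_alice, P_alice = keygen()
    _, P_other = keygen()
    t = rand_scalar()  # swap-specific secret, distinct from any wallet key
    T = ec_mul(t, G)
    msg = b"constructed swap tx"
    pre = presign(x_alice, P_alice, msg, T)
    sig = complete(pre, T, t)
    t_leaked = extract_secret(pre, sig)
    # A second swap that carelessly reuses the same T (the reuse warning above).
    msg2 = b"constructed second swap tx"
    pre2 = presign(x_alice, P_alice, msg2, T)
    return {
        "presig_checks": verify_presig(P_alice, msg, T, pre),
        "presig_not_yet_valid": not verify(P_alice, msg, (ec_add(pre[0], T), pre[1])),
        "completed_valid_for_alice": verify(P_alice, msg, sig),
        "completed_invalid_for_other_key": not verify(P_other, msg, sig),
        "secret_revealed_by_publication": t_leaked == t,
        "reused_T_lets_second_swap_complete": verify(P_alice, msg2, complete(pre2, T, t_leaked)),
    }


if __name__ == "__main__":
    for name, ok in demo_swap().items():
        print(f"{name}: {ok}")
```

The last entry of `demo_swap` is the reuse problem stated above: the pre-signature for the second swap was bound to the same `T`, so the `t` learned from the first on-chain signature completes it too. Using a fresh `t` per swap (and never a value derived from the wallet's long-term key) keeps each lock independent, and the wallet itself only ever produces a pre-signature over the transaction, which is why the answer treats `t` as transaction metadata rather than key material.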
